Update secure-webhook-endpoint.md

valindrae · web-flow · commit f3cd3700deff · 2025-06-04T00:48:23.000-07:00
add websocket authentication
diff --git a/articles/communication-services/how-tos/call-automation/secure-webhook-endpoint.md b/articles/communication-services/how-tos/call-automation/secure-webhook-endpoint.md
@@ -15,7 +15,7 @@ services: azure-communication-services
 zone_pivot_groups: acs-js-csharp-java-python
 ---
 
-# How to secure webhook endpoint
+# How to secure webhook endpoints and websocket connections
 
 Securing the delivery of messages from end to end is crucial for ensuring the confidentiality, integrity, and trustworthiness of sensitive information transmitted between systems. Your ability and willingness to trust information received from a remote system relies on the sender providing their identity. Call Automation has two ways of communicating events that can be secured; the shared IncomingCall event sent by Azure Event Grid, and all other mid-call events sent by the Call Automation platform via webhook.
 
@@ -45,6 +45,23 @@ A common way you can improve this security is by implementing an API KEY mechani
 [!INCLUDE [Secure webhook endpoint with Python](./includes/secure-webhook-endpoint-python.md)]
 ::: zone-end
 
+## Call Automation websockets events
+### Authentication Token in WebSocket Header 
+Each WebSocket connection request made by Call Automation now includes a signed JSON Web Token (JWT) in the Authentication header. This token can be validated using standard OpenID Connect (OIDC) JWT validation methods.
+  - The JWT has a lifetime of 24 hours.
+  - A new token is generated for each connection request to your WebSocket server.
+  - More details are available in the official documentation:
+Secure webhook endpoint – Azure Communication Services
+
+### Additional Headers:
+ The Correlation ID and Call Connection ID are now included in the WebSocket headers for improved traceability.
+
+## IP Range 
+| Category | IP ranges or FQDN | Ports | 
+| :-- | :-- | :-- |
+| Call Automation Media | 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38|	UDP: 3478, 3479, 3480, 3481|
+| Callback URLs | *.lync.com, *.teams.cloud.microsoft, *.teams.microsoft.com, teams.cloud.microsoft, teams.microsoft.com 52.112.0.0/14, 52.122.0.0/15, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42 | TCP: 443, 80 UDP: 443 |
+
 ## Next steps
 
 - Learn more about [How to control and steer calls with Call Automation](../call-automation/actions-for-call-control.md).
